Biyernes, Mayo 25, 2012

Intrusion to Employees’ Protected Zone of Privacy

With the increasing rate of unemployed Filipinos, can a social media network be a tool for an employer to determine the most suitable candidate? With the advent of the technology, can these social networking sites work for the employees’ advantage in presenting themselves as better qualified choice in performing the task at hand?

Few questions, hypothetically asked following the current happening and even lawsuits confronted by employers in the United States, who dared to include applicants’ Facebook password or access, as part of their recruitment requirement. Bringing the same scenario in Philippine setting would call for another long legal battle between the sides of the employer and employee.

Filipinos, like the rest of the world, use social media to announce every happy event in their lives and vent about day-to-day frustrations regarding their families, love life and even about their jobs. They post photos, publish what’s on their minds and share career and all other personal information. It has been their Personal Journal, their Diaries. Their Facebook profile can be overflowing with information that could be used to piece together a detailed composite of a job applicant. This could be a source of anything and everything about one’s person, his inner being, his thoughts and his feelings. And to provide access to another person, is the same as if you are surrendering your right to your private life.

The weighty provisions of the Bill of Rights, Article III of the 1987 Constitution mentioned PRIVACY in two important sections. Section 2 salutes not only the power of the State over a person’s home and possessions, but more importantly, it protects the privacy and sanctity of the person himself,[1] to wit:
“The right of the people to be sure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, xxx.”
Related to the right mentioned in the above stated Section is the right to privacy of communication and correspondence which provides:
“The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.”
The guarantee, which the law ensures, extends to all forms of communication and correspondence. The protection should include both the tangible and intangible objects. To restrict and limit the safeguard there should be a lawful court order and valid statutes to justify the State in interfering with ones privacy. Privacy should extend to what you have, on what you are, in the Cyber world. Personal and confidential matters in this social networking site should be kept as individual matters which gained entitlement of privacy. What was intended to be hidden from the general public should remain unseen, so that’s the beauty of privacy.

Employers, who would ask to submit the applicants’ access to their account just to qualify to their list of prospective applicants, violate these individuals’ right to privacy. It is not fair for the company to look into, only for their interest and discriminately dig through applicants’ private lives. This would further lead to consequences for discrimination, the company’s ability to select the best applicant has been irreparably compromised by looking into what’s there to find in their private accounts. There might be biases as to their illnesses, religion, political affiliations, sexual orientation and other factors that have been exposed by intruding into their private lives.

It will be arbitrary and oppressive for employers to ask for the password since there lies no relevance to the work being applied for. It does have nothing to do with the skills and abilities required for a job. It will be absolutely against the business ethics especially in recruitment. It was even a far cry from background check because traditionally, companies would look into previous employment that have a direct bearing on the applicants’ abilities to do the job. They would investigate for criminal records and colleges where they are from. Check of financial records would even be questionable at best.

Employers who are expected to be in favor of the access requests say that doing so will prompt and alert them to red flags such violent or other troubling behaviour of these applicants. But then again, this is not sufficient to justify the intrusion. There are many ways to kill a cat, and obliging a job applicant to submit to the employer’s access request is not one. There are better ways to determine the skills, abilities and attitude towards work of one applicant and compel him for an access is the same as asking him to surrender his house keys and that’s going beyond against his privacy.

If the issue will be pushed into legislation, to fill the gaps of present social and economic realities, again, the employees will definitely win the hearts and approval of the legislators. Majority will go in favor of continuously protecting the interest of the employees and strengthening them as the weaker force compared to capita. Even if we tend to adapt to the present technology and has successfully brought forth more complexities in life, no one should be forced to submit to ones invasion of right to privacy. For in this land, still, social justice rules.



[1] Bernas, Joaquin G. The Constitution of the Republic of the Philippines; A Commentary, 1987.





Disclaimer: This work is a compilation of information gathered and some part of which is the author’s humble opinion or expression and observation in relation to the fulfillment of a requirement set forth in the study of Technology and the Law. It should not be taken as legal advice or any manner other than for the stated academic purpose only.

Biyernes, Mayo 4, 2012

In Our Eyes: YOU are indeed a Cyber Intruder!

The standoff at Scarborough Shoal, was believed to be eventually transitioned online when just recently University of the Philippines (UP) website and several Philippine government websites were either defaced or attacked purportedly by Chinese hackers. Malacanang even admitted that they have come under the DDOS attack from servers whose IP addresses were reportedly based in China. The attacks were in response to the ongoing standoff at the disputed island just West of the country, between China and the Philippines. With what appears Chinese hackers drawing first blood by defacing UP website and exclaiming, “We come from China! Huangyan Island is Ours!”

          This caused Filipino hackers to retaliate by also defacing several Chinese websites, the sub-websites of the Chinese University Media Union(UMU) which main page was replaced by their declaration, “Scarborough Shoal is Ours!” as loud, screaming music played in the background. Another note on the page said, “Chinese government is clearly retarded,” just above the ASCII image rendition of the popular Guy Fawkes mask, which has been used as a symbol by international hacking group Anonymous. Filipino hacktivist groups, stressed how their attacks were merely responses to the initial breach on the UP website, and said that they are not trying to start anything but just telling that they do not want to be bullied in their own cyberspace.

          The above cited facts taken from the news items of The Online News Portal of TV5, (http://www.interaksyon.com/infotech) lead us to an issue whether or not we can make these foreign hackers liable in hacking or cracking Philippine websites. How? Apart from the physical territorial dispute, can we now establish a liability against them considering this as a breach of our cyber territories?   

          Websites should be considered as extension of our territory, there is a clear concept of ownership here. Just like an ordinary property, few of the many attributes of ownership are the right to exclude other person from its enjoyment and the right to enclose/fence it or protect it from intrusion. The principle can be applied to both issues but let us leave the resolution of the land dispute over Scarborough to the authorities and focus more on the escalated full-scale cyber warfare between the two countries’ netizens. The purported Chinese hackers successfully attacked some of the Philippine cyber-territories and reveal its patent vulnerabilities as well as the need for more stringent cybersecurity standards in the Philippines. Needless to say, we failed to strongly fenced our territories or build and strengthen our firewalls. We became powerless to defend our rights over the said territory. Nevertheless, in the eyes of anyone, these foreign hackers are guilty of intruding and causing interference within our own cyberspace.

          The 2001 Featured Section of The Investigative Report Magazine by the Philippine Center for Investigative Journalism (http://pcij.org/imag/Online/cybercrimes.html) reveals that in the Philippines, computer crimes range from petty website defacement - online equivalent of vandalism – to sophisticated intrusions. Such security breach have amounted to significant financial losses and are becoming rampant as to seriously threaten industries, businesses, government offices and private citizens.

          As defacement is equivalent to online vandalism, the term also includes criminal damage such as graffiti directed towards any property without permission of the owner. Vandalism per se is sometimes considered one of the less serious common crimes, but it can become quite serious and distressing when committed extensively, violently or as an expression of hatred and intimidation.

          In June 2000, as a reaction to the $10 billion damages caused by the “I Love You” virus unleashed by computer programming student, Onel de Guzman, the Philippine Congress passed the Republic Act 8792, also known as the Electronic Commerce (E-commerce) Act – penalizing computer crimes like hacking, spreading viruses and online piracy. This virus illustrated that a person armed with a computer could, from a distant location, attack and/or disrupt computers and networks worldwide and cause severe damage. In order to curb the threat posed by cybercrime, this law provides for the legal recognition and admissibility of electronic data messages, documents and signatures. The salient features of the Act are as follows:

·         Provides for the admissibility of electronic documents in court cases;

·         Penalizes limited online crime, such as hacking, introduction of viruses and copyright violations;

·         Promotes e-commerce in the country, particularly in business-to-business and business-to-consumer transactions whereby business relations are enhanced and facilitated and consumers are able to find and purchase products online;

·         Aims to reduce graft and corruption in government as it lessens personal interaction between government agents and private individuals.



But with the issue at hand, let us focus on how we can make these foreign hackers liable applying the penal provision of this Act:



          SEC. 33. Penalties. – The following Acts shall be penalized by fine      and/or imprisonment, as follows:



a) Hacking or cracking which refers to unauthorized access into or interference           in a computer system/server or information and communication system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information and communications system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data messages or electronic document shall be punished by a minimum fine of one hundred thousand pesos (P100,000.00) and a maximum commensurate to the damage incurred and a mandatory imprisonment of six (6) months to three (3) years;



xxx.



It is clear that the purported acts of these foreign hackers fall on the plain meaning of the prohibited act of hacking which the law defines as the unauthorized access to or interference, without the consent of the owner, including the introduction of viruses and the like that will result in corruption, destruction, alteration, theft or loss of electronic data messages or electronic document. They can be held liable for a minimum fine of one hundred thousand pesos (P100,000.00) and a maximum commensurate to the damage incurred and a mandatory imprisonment of six (6) months to three (3) years.



But there lies a question on how can we apply this penal provision to non-citizens of the Philippines. Recalling back, one of the characteristics of a penal statute is its GENERALITY, it will remain binding on all persons who live and sojourn in the Philippine territory. (Art. 14, New Civil Code) In the case involving an American citizen who committed the crime of illegal possession of firearms, the Court of Appeals held:



“The Philippines is a sovereign state with the obligation and the right of every government to uphold its laws and maintain order within its domain, and with the general jurisdiction to punish persons for offenses committed within its territory, regardless of the nationality of the offender. (Salonga and Yap, Public International Law, p. 169)



Granting arguendo, that the said website is an extension of our territory, virtual territory it is, having the essence and effect but not the appearance or form, but still it will remain our own domain. In their book, Who Controls the Internet?, Jack Goldsmith and Tim Wu present a compelling argument that geography and territory remain potent organizational and regulatory markers, even in the digital era. Now, concluding that the crime was committed within the location of the website, which is in the Philippines, these hackers can be validly said to have violated and should be held accountable for their actions under the Philippine law, RA 8792 to be specific.  



Now, here comes a bigger question, on how we can positively identify and ascertain who the foreign violators were. We lack the skills and equipment to pin point the said hackers apart from the fact of its geographical location. That badly ends the legal protection the E-commerce law can provide.   



PCIJ reveals through Atty. Jesus Disini, co-chair of the government’s IT and E-commerce Council (ITECC) Legal Cluster, the challenge is on law enforcement. Unfortunately, it suffers from all sorts of inadequacies – in particular, investigative skills especially in digital detective work and computer forensics and the corresponding state-of-the-art equipment. The NBI, for instance, still uses circa 1960s devices. Its agents survive on their own resourcefulness and the technical expertise provided occasionally by the U.S. Federal Bureau of Investigation (FBI). The most publicized criminal case filed involving the alleged stealing of proprietary data of the Thames International Business School by its own IT head and systems supervisor, had to hire Hongkong-based British professionals to do a probe using computer forensics equipment.



It is sad to note, even we have an E-commerce law to combat cybercrimes since the year 2000, still, it is not enough. It was even criticized to be insufficient and not specific. The situation is getting more alarming because cases just multiply. The said law was never been tested on foreign violators. We don’t have much prevailing jurisprudence yet. Thames being one of the test case, remained to be unresolved. The judicial system remains so slow considering only few lawyers and judges are knowledgeable in IT, not even aware of its effects and impacts to the society. We don’t have specialized courts with judges of cybercrimes who are experts on cyberlaw, both in terms of the legal and technical requirements.



By all means, we can make these foreign hackers liable. But the law is only one part of the solution, especially given the jurisdictional question posed by the transnational nature of cybercrimes. The consensus is that a treaty is the only long-term solution. International co-operation must also be strengthened in order for member countries to address the problem of cybercrime.



Another law on cybercrime should be enacted without delay, to supplement RA 8792, which conforms to internationally accepted standards. The passing of the Senate Bill 2796 or Cybercrime Prevention Act of 2012 is a good start.



According to Police Superintendent Gilbert Sosa, head of the Anti-Transnational Crime Division of the Criminal Investigation and Detection Group of the Philippine National Police (PNP-CIDG), to create a special agency with the technical expertise to monitor and regulate cyber-activities and law enforcement agencies manned by personnel with adequate computer skills and technical expertise and thoroughly trained to operate highly technical equipment, were part of the solution too.





Disclaimer: This work is a compilation of information gathered and some part of which is the author’s humble opinion or expression and observation in relation to the fulfillment of a requirement set forth in the study of Technology and the Law. It should not be taken as legal advice or any manner other than for the stated academic purpose only.


References:



        The Online News Portal of TV5 – http://interaksyon.com

        Investigative Report Magazine Online of the Philippine Center for Investigative Journalism – http://pcij.org/imag/Online/cybercrimes.html

        Country Report on CyberCrime: Philippines by Gilber Sosa  http://www.unafei.or.jp/english/pdf/RS_No79/No79_12PA_Sosa.pdf